
What Is FISMA Compliance?

It should come as no surprise that the U.S. federal government takes cybersecurity quite seriously. After all, federal agencies manage massive stores of sensitive data, including information related to national and international security and public health, as well as the personal information of most residents of the country.

FISMA, meaning the Federal Information Security Management Act, provides a comprehensive framework and set of requirements to help federal agencies establish a strong, risk-based approach to cybersecurity.

No federal agency is exempt from the guidelines laid out in FISMA, so if you handle data for a federal agency or provide other services subject to FISMA compliance, it’s important to gain a firm understanding of FISMA and its impact on your day-to-day operations.

FISMA Compliance Overview

FISMA was signed into law as part of the E-Government Act of 2002 and updated in 2014 with some important changes.

Scope of FISMA

FISMA requirements apply to all U.S. government agencies, as well as state agencies that administer federal programs such as unemployment insurance, student loans, Medicare and Medicaid.

The act also applies to private businesses that have contractual relationships with these state agencies, support a federal program or receive federal grant money. Private entities whose only connection to the federal government is being a grant recipient are often caught off guard, but they are required to implement the federal information security controls of FISMA.

Benefits of FISMA Compliance

Government agencies at every level have been targeted by cybercriminals more frequently in recent years; leaked Pentagon documents are one of the latest of several high-profile data breaches. Data leaks cost agencies significant amounts of money and can cause damage to the people whose private information is compromised.

For non-government organizations, FISMA compliance enables them to become contractors to federal agencies. Moreover, voluntarily following FISMA requirements can help organizations reduce risks to their sensitive data, which in turn helps them avoid the financial and other damage associated with data breaches.

Penalties for FISMA Compliance Violations

Failing to comply with FISMA can result in a host of unwelcome repercussions, including:

  • Censure by Congress
  • Reduction in federal funding
  • Increased government oversight
  • Damage to reputation

Related Guidelines and Standards

FISMA and OMB Guidelines

The Office of Management and Budget (OMB) released guidelines in April 2010 that require agencies to provide real-time system information to FISMA auditors to allow for continuous monitoring of FISMA-regulated information systems. The OMB guidelines include several requirements outlined in the Federal Information Processing Standards (FIPS) of the National Institute of Standards and Technology (NIST).

Two FIPS security standards are required by FISMA:

  • FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems) addresses the FISMA requirement to develop standards for categorizing information and information systems. FIPS 199 requires a “common framework and understanding” that promotes effective management and oversight of information security programs, and consistent reporting to the OMB and Congress regarding the adequacy and effectiveness of information security policies, procedures and practices.
  • FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems) establishes the “minimum levels of due diligence for information security” for federal agencies. The goal here is to establish a consistent, comparable and repeatable approach for “selecting and specifying security controls for information systems that meet minimum security requirements” laid out by the guidelines.

FISMA and NIST Standards

Several NIST standards correlate directly with FISMA compliance, including:

  • NIST SP 800-39 (Guide for Applying the Risk Management Framework to Federal Information Systems) — This document provides guidance for implementing an integrated program for information security risk management in order to protect organizational assets, individuals, other organizations and the U.S. as a whole from risks resulting from the operation and use of federal information systems. It outlines a “structured yet flexible approach” to risk management in an intentionally broad way. Specific directives aimed at implementing these programs are provided within supporting NIST standards and guidelines.
  • NIST SP 800-37 (Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach) — This document offers a “disciplined, structured, flexible process for managing security and privacy risk.” It includes information about information security categorization, control selection, implementation, assessment, system and common control authorizations, and continuous monitoring.
  • NIST SP 800-30 (Guide for Conducting Risk Assessments) — This document provides details about assigning risk management categories and determining appropriate courses of action in response to those risks. It provides a framework for carrying out the risk assessment process, including how to prepare for, conduct and communicate the results of an assessment.
  • NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) — This document catalogs security and privacy controls for all federal information systems except those related to national security. It outlines the steps of the Risk Management Framework related to security control selection in accordance with the security requirements in FIPS 200.
  • NIST SP 800-53A (Guide for Assessing the Security Controls in Federal Information Systems and Organizations) — This document lists guidelines for building “effective security assessment plans and privacy assessment plans.” It also provides procedures for assessing the effectiveness of security and privacy controls used in information systems.

FISMA and FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is similar to FISMA in that it provides standards for agencies regarding vulnerable federal data. However, FedRAMP focuses on cloud-based data and provides an avenue for agencies that need to validate cloud computing services for FISMA compliance.

FedRAMP also provides guidance for managing risk and validating cloud services used by federal agencies. Given today’s increasing reliance on the cloud, many modern FISMA-compliance software solutions include features for compliance with FedRAMP.

FISMA Requirements

The following seven FISMA requirements represent some of the most crucial elements of the act.

Maintain an Information System Inventory

An information system inventory should include all systems or networks that can access federal agency data, including those not operated by (or under the control of) the agency itself, as well as the interfaces between systems. NIST SP 800-18, Revision 1 (Guide for Developing Security Plans for Federal Information Systems) provides guidance for determining how to group information systems and their boundaries.

Categorize Information Systems

FISMA requires categorizing information systems and data based on the impact their compromise could have:

  • Low impact — A degradation in mission capability to an extent and duration that the organization is still able to perform its primary functions but with the effectiveness of the functions being noticeably reduced. Examples include:
    • Minor damage to organizational assets
    • Minor financial loss
    • Minor harm to individuals
  • Moderate impact — Significant degradation in mission capability to an extent and duration that the organization is still able to perform its primary functions but with the effectiveness of the functions being significantly reduced. Examples include:
    • Significant damage to organizational assets
    • Significant financial loss
    • Significant harm to individuals that does not involve loss of life or serious, life-threatening injuries
  • High impact — Severe degradation in or loss of mission capability to an extent and duration such that the organization is not able to perform one or more of its primary functions. Examples include:
    • Major damage to organizational assets
    • Major financial loss
    • Severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries

FIPS 199 and SP 800-60 provide information about categorizing information systems and data.

Design and Maintain a System Security Plan

NIST SP 800-18 provides guidelines for security plan development and implementation, and for setting up a review plan to periodically assess operational security.

Conduct Risk Assessments

NIST SP 800-37 and NIST SP 800-30 provide information about conducting risk assessments in order to analyze current threats, anticipate new ones and choose security controls that will reduce risk to an acceptable level.

Utilize Appropriate Security Controls

FIPS 200 provides details about selecting baseline security controls and applying tailored guidance and supplemental control as needed based on risk assessment.

NIST SP 800-53 lists security controls for agencies to consider implementing. These controls can be applied flexibly so that they align with the agency’s mission and operational environment, provided that the agency documents the selected controls in its system security plan.

Conduct Continuous Monitoring

NIST SP 800-37 and SP 800-53A lay out the guidelines for continuous security system monitoring. Monitoring in this context includes the System Integrity (SI), Configuration Management (CM), Incident Response (IR) and Audit (AU) categories.

Perform Annual Reviews

To maintain FISMA compliance, agencies must conduct annual reviews of their information security programs. These reviews are conducted by inspectors general, chief information officers (CIOs), and other federal program officials.

Once the reviews have been conducted, agencies report the results to the OMB, which prepares an official annual FISMA compliance report to Congress.

Achieve Certification and Accreditation (C&A)

Agencies need to achieve FISMA Certification and Accreditation (C&A) through a process that includes four phases:

  1. Initiation and planning
  2. Certification
  3. Accreditation
  4. Continuous monitoring

C&A is not a one-time event; OMB requires periodic recertification and re-accreditation for FISMA-regulated agencies.

FISMA Best Practices

To help your organization achieve and maintain FISMA compliance, follow these best practices:

  • Gain a high-level view of the sensitive data you store and process.
  • Run periodic risk assessments to identify, prioritize and remediate information security gaps.
  • Regularly evaluate how well your security controls and policies work to protect your systems.
  • Maintain evidence of how you’re complying with FISMA.
  • Monitor for updates to FISMA.
  • Conduct ongoing employee training to keep your team up to date on both FISMA requirements and cybersecurity threats.

How Netwrix Can Help

Simply knowing the answer to the question “What is FISMA compliance?” doesn’t give you the strategies you need to implement changes to your business. It certainly doesn’t give you the budget OMB changes may require.

Netwrix offers easy, cost-effective compliance audit solutions that help you secure your enterprise and satisfy auditors. With out-of-the-box templates, hardened build standards, password policies and more, you can kickstart your FISMA compliance strategy.

If you’re ready to reclaim your nights and weekends by slashing audit preparation effort by up to 85% while proving your organization meets FISMA compliance requirements, request a free demo with Netwrix today.

FAQ

1. What is FISMA?

FISMA stands for the Federal Information Security Management Act. It is a U.S. federal law that provides a comprehensive framework aimed at protecting sensitive information.

2. Who must comply with FISMA?

FISMA rules apply to all U.S. federal government agencies, as well as state agencies that administer federal programs. It also applies to private businesses involved in contractual relationships with these state agencies, including those that provide services, support a federal program or receive federal grant money.

3. What are the penalties for FISMA noncompliance?

Government agencies and related private companies can face several penalties for failing to stay compliant with FISMA, including:

  • Censure by Congress
  • Reduction in federal funding
  • Damage to reputation
  • Increased government oversight

4. What is the relationship between NIST and FISMA?

NIST (the National Institute of Standards and Technology) publishes several guides to help organizations in achieving and maintaining compliance with FISMA.

5. What is FISMA certification?

It’s not enough for organizations to act FISMA-compliant. Once you’ve implemented the appropriate controls, you need to prove that you’re following FISMA standards. OMB lays out the certification and accreditation process, which must be repeated regularly.

Former VP of Customer Success at Netwrix. He has a diverse background built over 20 years in the software industry, having held CEO, COO, and VP Product Management titles at multiple companies focused on security, compliance, and increasing the productivity of IT teams.